Cloud

11/26/2014
12:05 PM
Sara Peters
Sara Peters
Quick Hits
Connect Directly
Twitter
RSS
E-Mail
100%
0%

Dangers Of Shopping Are Evolving

Point-of-sale malware is making brick-and-mortar shopping more dangerous. Online, attackers are beginning to value user accounts with payment information attached more than credit card details themselves.

Holiday shopping is dangerous. You could be tackled by other shoppers as you reach for the latest video game. You might go blind staring at your computer screen as you spend hours looking for a gift that is not only perfect, but will also arrive on your doorstep in time for you to smack a bow on it. There are other dangers, though -- and the risks are changing.

Shopping at brick-and-mortar stores is not necessarily any safer than shopping online anymore. In fact, Don Jackson, director of threat intelligence for PhishLabs, told Dark Reading this week that he would rather hand his credit card data to a Web form than to a salesperson.

Why the shift in threat posture? One reason for that is the spate of point-of-sale malware that has made headlines all year. Another is that retailers often work harder to secure their e-commerce sites than their brick-and-mortar shops.

That's not to say that e-commerce sites aren't without their risks. Yet, the kinds of risks are changing. Attackers are moving away from carding and starting to favor account takeover, as new research shows.

"This year, we have determined fraudsters are leveraging more sophisticated attack vectors, focusing increasingly on account takeover, as opposed to the common tactic of credit card cycling," says Ryan Wilk, director of customer success at NuData Security, in a report released Tuesday. "This shows us that thieves are beginning to value user accounts with payment information attached more than credit card details themselves. This puts additional burden on the e-commerce organization to protect their communities."

Researchers at ThreatMatrix are finding the same pattern. In a report last week, Alisdair Faulkner, chief products officer for ThreatMatrix said, "In addition to payment fraud this holiday shopping season, our biggest concern is the spike in the number of account takeovers we are seeing on retail websites. ThreatMetrix data shows an upswing in account takeover activity in the wake of recent massive data breaches -- and most retailers will be caught unprepared.

“Previously, guest checkouts represented the highest risk, but due to the prevalence of data breaches and the convenience of storing credit cards to make mobile purchases easier, fraudsters have found it just as easy to use a stolen username and password as it is to use compromised credit card information that has a shorter life span before being shut down."

The "convenience of storing credit cards to make mobile purchases easier" that Faulkner mentions becomes a greater concern as more shoppers use mobile devices to make purchases. Iovation predicted this week that about 40% of all retail transactions made between Black Friday and Cyber Monday this year will be made from mobile phones and tablets. This segment has been steadily increasing for years. Just five years ago, Iovation found that only 3% of the online retail transactions between Black Friday and Cyber Monday came from mobile devices.

Are you planning to get sore feet trudging around the shopping mall this season, or get sore fingers trolling the Internet? Do security risks affect your decision? Let us know in the comments below.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Sara Peters
50%
50%
Sara Peters,
User Rank: Author
12/1/2014 | 9:37:18 AM
Re: So what is the correct approach?
@mejiac  Thanks! As far as Apple and Google getting into the mobile payment realm... well I think they're both just trying to get a piece of a business that's growing just fine without them.

Still, Apple Pay is supposed to add stronger multi-factor authentication to every purchase -- that's the good news. The maybe-not-such-good news is that the Apple Pay infrastructure makes you rely on Apple for the lion's share of your payment security -- moreso even than your bank. 

We wrote about it in September:  http://www.darkreading.com/apple-pay-ups-payment-security-but-pos-threats-remain/d/d-id/1315608
Sara Peters
50%
50%
Sara Peters,
User Rank: Author
12/1/2014 | 9:24:28 AM
Re: Glad to have an excuse to miss Black Friday
@David  Generally I hate shopping too, and do a lot online. But honestly, I miss some of the hustle and bustle, and the pretty lights and Christmas music playing, so I'll venture out into the fray just for the experience. I've even found the one cash register in the Times Square Toys R Us that never seems to have a line.  :)

But, I do feel it's a risk management issue. One of my favorite ways to shop is at the outdoor holiday markets they set up in some of the public parks in Manhattan. I worry about carrying cash, because those markets are a pickpocket's dream. But all the stalls in the market are small businesses using very small mobile credit card processing technology. I doubt that security is a big priority for them.

I HOPE that the wireless network for the merchants is separate from the free public wireless available in the park... but I think I ought to check on that.  :)  

 
prospecttoreza
50%
50%
prospecttoreza,
User Rank: Strategist
12/1/2014 | 9:20:17 AM
Re: Glad to have an excuse to miss Black Friday
But Amazon has gotten way too expensive. The same toy I got at Toysrus on sale for $55 this Thursday is being sold on Amazon for $130! So, happy Amazoning :-)
mejiac
50%
50%
mejiac,
User Rank: Apprentice
11/30/2014 | 12:08:30 PM
So what is the correct approach?
Great article Sarah!

"The "convenience of storing credit cards to make mobile purchases easier" that Faulkner mentions becomes a greater concern as more shoppers use mobile devices to make purchases."

If this is the case, then how come companies like Apple and Google are pushing for the use of more mobil based payment?

I agree that things are more riskier, and the thread of identity theft is greater than ever before.

I for one keep a close eye on all my transactions, and only utilize credit cards that have fraud protection policies.

I see this as something that is inevitable, and thus we need to be more cautiuous, since it's not a matter of if it'll happen or not, is more about "when?"

What does the community think?
Nemos
50%
50%
Nemos,
User Rank: Apprentice
11/30/2014 | 5:07:38 AM
Re: Glad to have an excuse to miss Black Friday
You dont feel safe while shopping in the mall ? , for most of the people is a joy procedure (especially for women's and kids). In addition you can try the small shops around the corner instead of the malls.
David F. Carr
100%
0%
David F. Carr,
User Rank: Strategist
11/26/2014 | 12:24:00 PM
Glad to have an excuse to miss Black Friday
I hate shopping, so if I'm incrementally safer doing it on Amazon than at the mall, hooray!
How the US Chooses Which Zero-Day Vulnerabilities to Stockpile
Ricardo Arroyo, Senior Technical Product Manager, Watchguard Technologies,  1/16/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
The Year in Security 2018
This Dark Reading Tech Digest explores the biggest news stories of 2018 that shaped the cybersecurity landscape.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-3906
PUBLISHED: 2019-01-18
Premisys Identicard version 3.1.190 contains hardcoded credentials in the WCF service on port 9003. An authenticated remote attacker can use these credentials to access the badge system database and modify its contents.
CVE-2019-3907
PUBLISHED: 2019-01-18
Premisys Identicard version 3.1.190 stores user credentials and other sensitive information with a known weak encryption method (MD5 hash of a salt and password).
CVE-2019-3908
PUBLISHED: 2019-01-18
Premisys Identicard version 3.1.190 stores backup files as encrypted zip files. The password to the zip is hard-coded and unchangeable. An attacker with access to these backups can decrypt them and obtain sensitive data.
CVE-2019-3909
PUBLISHED: 2019-01-18
Premisys Identicard version 3.1.190 database uses default credentials. Users are unable to change the credentials without vendor intervention.
CVE-2019-3910
PUBLISHED: 2019-01-18
Crestron AM-100 before firmware version 1.6.0.2 contains an authentication bypass in the web interface's return.cgi script. Unauthenticated remote users can use the bypass to access some administrator functionality such as configuring update sources and rebooting the device.